Handy Linux Iptables Script

This document provides a script for setting up a simple iptables firewall on a Linux web server, including instructions for creating necessary configuration files for blacklisting and whitelisting IP addresses and allowed ports. It includes flood detection settings for TCP-SYN and ping floods, as well as logging capabilities for potential attacks. Users are advised to rerun the script after making changes to the configuration files to apply the new rules.


Handy Linux iptables script

by Hersey on Apr.23, 2009, under My Notes, Networking, Tools

Here is a script I put together some years ago to create a simple iptables firewall on my Linux web server. Some of the code was borrowed from a Linux security book, but I do not remember which one. Anyway, it is a pretty handy script to give you some control and protection.

First create three files in /usr/local/etc:

ipblack.lst – this file contains a list of IP addresses you want to blacklist. One IP or subnet per line.

Example:

94.178.222.17
87.0.0.0/8

ipwhite.lst – this file contains a list of IP addresses that you allow unrestricted access (be careful with this). One IP or subnet per line. Make sure you add localhost to this file.

Example:

localhost
10.10.1.1 #Home IP Address

ports.lst – this file contains a list of ports you allow (the script opens them for TCP only).

Example:

22 #SSH
25 #SMTP
53 #DNS/Domain
80 #HTTPD
443 #HTTPS

Add this iptables.sh script to /usr/local/sbin:

#!/bin/sh

#Iptables for webserver

IPTABLES=/sbin/iptables
WHITELIST=/usr/local/etc/ipwhite.lst
BLACKLIST=/usr/local/etc/ipblack.lst
PORTSLIST=/usr/local/etc/ports.lst

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

#Clear any current filters: flush all rules, then delete the user-defined
#chains created below so the script can be rerun without "chain already exists"
$IPTABLES -F
$IPTABLES -X

#Logging of possible TCP-SYN-Floods (chain must exist before it is referenced)
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

#Process Whitelist (first field of each non-comment line)
for x in $(grep -v '^#' $WHITELIST | awk '{print $1}'); do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -t filter -s $x -j ACCEPT
done

#Process Blacklist
for x in $(grep -v '^#' $BLACKLIST | awk '{print $1}'); do
    echo "Blocking $x..."
    #$IPTABLES -A INPUT -t filter -s $x -j LOG
    $IPTABLES -A INPUT -t filter -s $x -j DROP
done

#INVALID SYN packets (checked before any port is accepted, so they are
#dropped even on allowed ports)
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#TCP-SYN-Flood detection: SYNs within TCPSYNLIMIT return to INPUT and go on
#to the port checks; the excess is logged and dropped by LSYNFLOOD
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j RETURN
$IPTABLES -A SYNFLOOD -j LSYNFLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYNFLOOD

#Ping-Flood detection: echo requests above PINGLIMIT are logged and dropped
$IPTABLES -N PINGFLOOD
$IPTABLES -A PINGFLOOD -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j RETURN
$IPTABLES -A PINGFLOOD -j LPINGFLOOD
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j PINGFLOOD

#Allow Ports list (TCP only)
for port in $(grep -v '^#' $PORTSLIST | awk '{print $1}'); do
    echo "Accepting port $port..."
    $IPTABLES -A INPUT -t filter -p tcp --dport $port -j ACCEPT
done

#Drop new TCP connections to every port not listed above
$IPTABLES -A INPUT -t filter -p tcp --syn -j DROP

#ICMP TIMESTAMP REQUEST AND REPLY
$IPTABLES -A INPUT -p icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A FORWARD -p icmp --icmp-type timestamp-request -j DROP

Add /usr/local/sbin/iptables.sh to rc.local so that it runs when the machine starts up.

Anytime you make changes to the ipblack.lst, ipwhite.lst, or ports.lst files, rerun the iptables.sh script to apply the rules.

The script also applies iptables rules to help protect against ping floods, SYN floods, and invalid SYN packets.
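Because the script flushes the old rules before it reads the lists, a typo in one entry (a fifth octet, a /33 prefix, a port with a stray letter) makes iptables reject that rule partway through and leaves the host running a partial ruleset. The validator below is an added example written for this page, not part of Hersey's script; it assumes the list format shown above (one entry per line, "#" starting a comment) and the default directory /usr/local/etc, and a wrapper can run it before iptables.sh.

```shell
# Added validator for ipwhite.lst, ipblack.lst and ports.lst (example code, not
# from the original post). Every entry is checked before iptables.sh flushes the
# old rules and feeds the entries to iptables.

# Print the first field of each non-blank, non-comment line of file $1.
# "#" starts a comment anywhere on the line, as in "10.10.1.1 #Home IP Address".
lst_entries() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# True if $1 is an unsigned decimal integer within [$2, $3].
int_in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# True if $1 is "localhost", a dotted-quad IPv4 address or an IPv4 CIDR subnet.
is_ip_or_subnet() {
    [ "$1" = localhost ] && return 0
    addr=${1%%/*}
    case $1 in */*) int_in_range "${1#*/}" 0 32 || return 1 ;; esac
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do int_in_range "$octet" 0 255 || return 1; done
}

# True if $1 is a usable TCP port number.
is_port() { int_in_range "$1" 1 65535; }

# Apply predicate $2 to every entry of file $1; report offenders on stderr and
# return 1 if any entry failed (0 if the file is clean).
check_lst() {
    status=0
    for entry in $(lst_entries "$1"); do
        "$2" "$entry" || { echo "$1: invalid entry '$entry'" >&2; status=1; }
    done
    return $status
}

# Validate all three lists in directory $1 (default /usr/local/etc). A wrapper
# such as "check_all && /usr/local/sbin/iptables.sh" applies rules only when clean.
check_all() {
    dir=${1:-/usr/local/etc}; rc=0
    check_lst "$dir/ipwhite.lst" is_ip_or_subnet || rc=1
    check_lst "$dir/ipblack.lst" is_ip_or_subnet || rc=1
    check_lst "$dir/ports.lst" is_port || rc=1
    return $rc
}
```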
